Exam SC-100 topic 1 question 11 discussion

if data need to go to splunk then event hub. https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

B. Data connectors are for receiving data not to send data

Azure Event Hub is the correct answer.

hub de eventos do azure

Azure Event Hub is the correct answer. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Azure Event Hubs. "to send security events from Microsoft Sentinel to Splunk" https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html - Event Hubs can process data or telemetry produced from your Azure environment. They also provide us a scalable method to get your valuable Azure data into Splunk! https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029 - Another option would be to implement a Side-by-Side architecture with Azure Event Hub. Not a Microsoft Sentinel data connector - Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs 'from' Splunk platform using the Azure HTTP

Answer B Preparation : The following tasks describe the necessary preparation and configurations steps. Onboard Azure Sentinel Register an application in Azure AD Create an Azure Event Hub Namespace Prepare Azure Sentinel to forward Incidents to Event Hub Configure Splunk to consume Azure Sentinel Incidents from Azure Event Hub Using Azure Sentinel Incidents in Splunk

B. Events Hubs | Azure Event Hubs can be used to buffer and route events between Microsoft Sentinel and Splunk. This option provides scalability and reliability in handling high volumes of security events.

I must say that I do think it's strange and unusual for a Microsoft exam to have a scenario where data is going from their own product to a third party's. It's to my experience always the other way. Therefor I suspect that it could be a typo saying "from Sentinel to Splunk". It's more likely to be "to Sentinel from Splunk". I.e. Sentinel Data connectors If appearing on a test make sure to read carefully...

To send security events from Microsoft Sentinel to Splunk, you should use a Microsoft Sentinel data connector. Data connectors in Microsoft Sentinel are used to export security events and logs to external systems, and Splunk is a supported destination for these connectors. So, the correct recommendation is: A. a Microsoft Sentinel data connector

Rule of thumb - always go with most votes!!

To send security events from Microsoft Sentinel to Splunk, you would typically use Azure Event Hubs as the messaging service that can integrate with both solutions. Azure Event Hubs can be used to collect and stream event data into various services, and it's suitable for integration with third-party SIEM solutions like Splunk. So, the correct answer to include in the recommendation would be: B. Azure Event Hubs.

my 2 cents: given the options to chose from - I would go for event hub. I would imagine the best solution in this case would be Microsoft Graph Security API Add-On for Splunk https://splunkbase.splunk.com/app/4564

Indeed B

B is the answer. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-to-qradar-and-splunk

There is a distinction between data connectors for receiving ( <a href="https://reminiapk.org/">ai</a>) data and data connectors for sending data